diff --git a/configurations/nixos/tofu/default.nix b/configurations/nixos/tofu/default.nix
index c9b06d4..d915261 100644
--- a/configurations/nixos/tofu/default.nix
+++ b/configurations/nixos/tofu/default.nix
@@ -21,12 +21,10 @@ in
 otf = {
 enable = true;
 environment = {
- # OTF_KEY_FILE=/fixtures/key.pem
- # SSL_CERT_FILE=/fixtures/cert.pem
- # OTF_LOG_HTTP_REQUESTS = "true";
 OTF_ADDRESS = "0.0.0.0:9000";
 OTF_HOSTNAME = "tofu.skdevstudios.com";
 OTF_DEFAULT_ENGINE = "tofu";
+ OTF_RESTRICT_ORG_CREATION = "true";
 };
 environmentFile = config.sops.secrets.otfenv.path;
 };
diff --git a/modules/nixos/common/otf.nix b/modules/nixos/common/otf.nix
index bbc8e03..887ad6c 100644
--- a/modules/nixos/common/otf.nix
+++ b/modules/nixos/common/otf.nix
@@ -35,7 +35,7 @@ in
 ])
 );
 default = {
- OTF_ADDRESS = "localhost:9000";
+ # OTF_ADDRESS = "localhost:9000";
 # OTF_SITE_TOKEN = "my-token";
 # OTF_SSL = "false";
 # OTF_SECRET = "";
@@ -87,6 +87,7 @@ in
 ExecStart = "${cfg.package}/bin/otfd";
 Restart = "on-failure";
 EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
+ WatchPaths = lib.mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
 };
 };
 };
diff --git a/modules/nixos/common/sops.nix b/modules/nixos/common/sops.nix
index d40a964..b63d766 100644
--- a/modules/nixos/common/sops.nix
+++ b/modules/nixos/common/sops.nix
@@ -15,7 +15,7 @@
 otfenv = {
 owner = "otf";
 group = "otf";
- mode = "0440";
+ mode = "0550";
 };
 };
 };
diff --git a/secrets.yaml b/secrets.yaml
index faa983c..1b0fe59 100644
--- a/secrets.yaml
+++ b/secrets.yaml
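Review bot: In configurations/nixos/tofu/default.nix the `environment` block keeps `OTF_ADDRESS = "0.0.0.0:9000"` while dropping the only in-file hints about key and certificate files, so nothing here records where TLS terminates for `tofu.skdevstudios.com`. If a reverse proxy in front of otfd handles that (not visible in this hunk), a comment above `OTF_ADDRESS` such as `# TLS terminates at the reverse proxy; 9000 is not reachable from outside` would document it. If that proxy runs on the same host, binding otfd to loopback instead of all interfaces would be the tighter setting.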
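Review bot: In modules/nixos/common/otf.nix (hunk at -35) commenting out `OTF_ADDRESS = "localhost:9000";` leaves the option's `default` with no listen address, so a host that enables the module without defining `environment` now gets whatever otfd binds to on its own rather than the loopback address the module used to pin. A host-level `environment` definition replaces an option default rather than merging with it, so the tofu host's `0.0.0.0:9000` did not need this line removed and the loopback default could stay. If dropping it is intended, a comment like `# listen address left to otfd's built-in default; set OTF_ADDRESS per host` would make that explicit. The option declaration starts outside the hunk.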
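Review bot: `WatchPaths` on the added line in modules/nixos/common/otf.nix (hunk at -87) is a launchd key, not a systemd `[Service]` directive. If this attrset is a systemd `serviceConfig` (its opening is outside the hunk), systemd will ignore the unknown key with a warning and otfd will keep running with the old values after `environmentFile` changes. With sops-nix the restart is usually declared on the secret itself, `restartUnits = [ "<otf unit name>.service" ];` in the `otfenv` entry of sops.nix. A separate `.path` unit with `PathChanged=` is the systemd equivalent if the file is managed some other way.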
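Review bot: `mode = "0550";` in modules/nixos/common/sops.nix adds the execute bit for owner and group on the decrypted `otfenv` secret, which an environment file never needs, and it grants no read access that `0440` did not already give. If the change was meant to fix a read failure, the cause is likely elsewhere. I would revert to `mode = "0440";`, or tighten to `mode = "0400";` if nothing else in group `otf` reads the file.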
@@ -1,4 +1,4 @@ -otfenv: ENC[AES256_GCM,data:VUNLMOsgnguEgKGhFbV4gbuBLFu6jyR15D+vBoq3pO4UuDwqg91jBBDwsj7SoS9NVdnyI0F+A927w6thraJB1A9ssGluhDt/QQ4HBGCsnKVha0tnL+moccwTQoG1WG5NifBvFglhBD6ry/prCj/v2+RwjQJYebrkFmsgonk8HtForgRhYSevNTNGz1Ik/o22sF0wPSIQkB8t8cS97aY1WKpvrC7g69oXCUKW5wFZUUpYQ/DBBj8=,iv:cnD4LtfD8D/kAw4BQP4etkCubhLlv8xKSqCLgcxhL64=,tag:gKrBOMwuJVK1fpzJ1Mb7+g==,type:str] +otfenv: ENC[AES256_GCM,data:WUiT8yCIaC0xMPRwnXN5iOAk7rd9xnwqm1yB0AY753Opt+5pPaQBcueiiC37bdwGtbLBGqHuepaR9Xl3aapNxlebblQH18Y0DUCsGrTvtOUlSVW73h1/3/v3RJbSR6VdlwFFM9WPfqXzWzw3Jz+b1DjJvFYC8sDg0kY/jWoMA5uLiAXwtAGgiRKJN9m0Haumuad5GHIa7hO5aryHQmxuz5Ml8lV9ZP3lGWVZyF/pS/Javz6A7pm41/+9TNAlBE5roDUgcm/oJAm62zdSQvJ/BHP3,iv:7cC5/OeYA4l/kq01tHjk8Iz6nAi78+rrPMUz9R6f440=,tag:VBZwlaVlfJWDEY1p+cH0aA==,type:str] sops: age: - recipient: age1ja6zky2xlptgmu04ghp30z9gcyw240p4p8jpqeznt9msmmrwjdjshl6rx3 @@ -28,7 +28,7 @@ sops: Q3E1Y1pOR0NjN1M3RXFueU1YUzdZNm8KvmAh6XclVmdX2hDtRbBuYRF4mSCrIjJ6 P6JYyzB+aZXkbRiw0L7KoHOuQ1LyV0m3LOANcqpUn6phh0CNWxOmlg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-06-15T01:44:03Z" - mac: ENC[AES256_GCM,data:PtAb0uSPPk4gZ+OeLnJfgvkpNHC/057R8HJjS+jCbsY3LVk8PlH75MA/25uBzwaDzTQ1yd5NMpNF4NJrLSAptK9HrrjUQENjOGLivCWKhT6lB7ITqXwHaiIQWkuLTg+nGKG/99TQQl71JQJ5KgS2Y7Q7jBCdOKdNzGseAWnAc+g=,iv:0/4eF3K8yhoRR+ptlmczj8Hhy80fwHu0rxSnPPAVWnU=,tag:jchwJIsSIXln5iFCXjydeg==,type:str] + lastmodified: "2025-06-15T02:57:18Z" + mac: ENC[AES256_GCM,data:YDeN1yB5ostOfq1YQM7O5KDp3h9x2VUj4AshsEAPwlKeIPXgQFqbRn9ev30Bw6Yw8M/6xCKJsZv6HoGqlRmZhIMDqkzYmPx9wI/jHFRWa8IhadlPKFNkftIdFrreejxy1naw1ylWSJWnTSKvKzzpELFxR2xJp7BGVSJN+hJxOfM=,iv:Dbl7dfcZYWoyNQw1Tg+36mloSwTLUz8tb2xb4b60sZw=,tag:gK59ee3bG40NqOj0Vb9L4A==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2